Jokeroo
Jokeroo is a ransomware that is being promoted on underground hacking sites and via Twitter, allegedly giving affiliates access to a fully functional ransomware and payment server. It is offered as Ransomware-as-a-Service (RaaS): a developer creates a ransomware and a payment site and allows affiliates to sign up and distribute the ransomware. As part of this deal, the affiliates and the developer split the payments received from victims.

According to a malware researcher named Damian, the Jokeroo RaaS first started promoting itself as a GandCrab Ransomware RaaS on the underground hacking forum Exploit.in. On October 19th, 2019, David Montenegro found a Tor site pretending to be the Jokeroo RaaS.

Behavior

Unlike most ransomware-as-a-service offerings, a would-be criminal has to pay to join a particular membership package in order to become an affiliate. These packages range from $90 USD, where the affiliate earns 85% of the ransom payments, to $300 and $600 packages where the affiliates keep all of the revenue and get extra perks such as Salsa20 encryption, different ransomware variants, and different payment cryptocurrency options.

Below is the base set of offerings a $90 affiliate gets when they join:

- You can change and customize your ransomware
- Name of the project
- Change the demand of ransom
- Change all the logo
- An icon in format .ICO
- Remove the jokeroo logo
- You can choose the extension
- A description to help the victim in format .TXT
- Ransomware update manually
- You can create 1 ransomware
- The victim can pay you in Bitcoin
- Withdrawal in Bitcoin
- You can infected in unlimited
- You will have news about the dashboard
- Undetectable by AV update regularly
- Spread manually
- Show the IP of the victim
- We will touch 15% fees ransom
- You will be able to manage all the victims since the dashboard
- Display: CD key, PC Name, Encrypted files, Operating System (OS)
- Lifetime license !
Included on the page are images of the dashboard that an affiliate would gain access to. For example, below the user can see the main dashboard page for the Jokeroo RaaS. This dashboard also allows affiliates to see a list of their victims, when they were infected, and whether they have paid. Affiliates can also dig deeper into the victim list to see each victim's IP address, Windows version, and geographic location. Once again, while the RaaS page has been created, there is no indication that this ransomware is currently being distributed.

Since May 7th, 2019, the Tor sites for the Jokeroo Ransomware-as-a-Service (RaaS) have been displaying a notice stating that their server was seized by the Royal Thai Police in conjunction with the Dutch National Police and Europol. It turns out that this notice is fake and the RaaS is performing an exit scam. The seizure notice on Jokeroo's Tor servers had missing words, unusual wording, and was more descriptive regarding why the site was seized than a user would normally see. The full text of this notice can be read below:

THIS HIDDEN HAS BEEN SEIZED
by the Royal Thai Police in conjunction with the Dutch National Police and Europol
What have you done?
The police investigation focus on the criminal activities of Jokeroo and the people behind Jokeroo. Jokeroo uses the Dutch (digital) infrastructure to provide services to criminals by renting out servers from which criminal activities can be deployed such as sending spam messages and causing RANSOMWARE attacks,
The takedown of Jokeroo is a coordinated effort by law enforcement agencies from Thailand and The Netherlands, Europol.

Payload Transmission

Jokeroo is generally propagated using malicious spam email attachments.

Infection

Once Jokeroo has been installed, it uses AES encryption to encrypt the victim's data, making the files inaccessible.
The following are examples of the files that threats like Jokeroo target in these attacks: .jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

Once the victim's files have been encrypted, Jokeroo demands a ransom payment from the victim, delivering a ransom note in the form of a text or HTML file which asks the victim to get in touch with the criminals via email or make a payment to a specific Bitcoin wallet.

Categories: Ransomware, Win32 ransomware, Win32, Microsoft Windows, Win32 trojan, Trojan